Registry Run Keys / Startup Folder — Malware Persistence

In the world of today, cyber adversaries are on the rise. They target every kind of organization to gain access and then hide for a long time in order to collect every bit of information they need. An increasing number of malware families have been found, and every now and then we hear about malware and ransomware attacks in which the adversaries had been hiding for years before shutting down all the systems or asking for a ransom.

The first and foremost need for adversaries once they have gained access to a system is to hide and to persist on it: in case the system is restarted or shut down, the malware should keep working and they should keep their access. This technique is mapped to Boot or Logon Autostart Execution, MITRE ATT&CK T1547, sub-technique 001.

In this case the attackers try to hide themselves by the following means.

A. Adding programs to start at boot time.
B. Adding programs to StartUp folders.
C. Adding programs to Autorun.
D. Run Keys in the Windows Registry.

There are multiple ways of opening the Registry Editor on Windows. First, we can search for it and open it directly.

Second, we can use CMD+R to open the Run prompt, type regedit and hit Enter.

There are 5 hives in total, which can be seen clearly in the screenshot above.

These hives store keys, subkeys and values; in other words, hives store information as KEY:VALUE pairs.

Attackers always try to gain access to HKLM, as it requires admin privileges and also contains the settings for all users. In case they are not able to gain access to HKLM, they target HKCU, which only requires the privileges of the currently logged-in user.

Now that we understand what these hives are, let us take a look at the actual keys which attackers leverage.

These two keys, i.e. Run and RunOnce, come pre-installed with the operating system. There is another registry key named RunOnceEx which does not come preinstalled but can be created. These are for processes: Run and RunOnce each start a separate process, but RunOnceEx does not start a separate process, which means it can be more persistent.

So, we can conclude that,

Similarly, we have the RunServices and RunServicesOnce keys, which are responsible for the services running in the background and for the services which must be started as soon as the user logs onto the system.

Similarly, attackers can also leverage the Windows Policies keys to set up programs or services to run at start-up.

The other important registry keys include the Winlogon keys, which hold the information on the programs, services etc. to run as soon as the user logs onto the system.

This program runs as soon as the user logs on and sets everything to its default settings. The details can be found in the screenshot below; it can be seen that there are multiple keys with values assigned, which means that once the user logs onto the system, these are the default settings that will be initialized.

Attackers can leverage this tool and modify its parameters to point to the malware, so that whenever the user logs in or the system boots up, the malware is started along with it.

2. Shell

This key contains the default value explorer.exe. This can also be taken advantage of: attackers can set it to a malware executable.

3. BootExecute

This runs autocheck autochk * during boot. By default it performs file system/disk troubleshooting at boot time. If modified, the malware will run once autochk succeeds.

Attackers can leverage this by modifying the value and adding malware samples/executables to it!

4. Shell Folders & User Shell Folders

These folders contain the keys for the startup programs. Adversaries can take advantage of these keys by modifying them to add their malicious programs.
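As an added illustration (not part of the original article), here is a small Python audit of a `reg export` dump covering the locations above: it parses the .reg text, compares the Winlogon Userinit and Shell values and the Session Manager BootExecute value against stock defaults, and flags Run/RunOnce-style entries that launch from outside the Windows or Program Files trees. The sample export, the baseline values and the path heuristic are constructed assumptions; adjust them to your own environment.

```python
import re

# Constructed sample shaped like `reg export` output: Userinit tampered, one odd Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svchost.exe,"
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,\
  61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
'''
# Stock defaults for the Winlogon / Session Manager values the article covers (assumed baseline).
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute": "autocheck autochk *",
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?\\", re.I)

def parse_reg(text):
    """Parse a .reg export into {key\\valuename: value}: REG_SZ ("...") and REG_MULTI_SZ (hex(7):...)."""
    text = re.sub(r",\\\r?\n\s*", ",", text)          # re-join backslash-wrapped hex lines
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line and not line.startswith(";"):
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if val.startswith('"'):                    # REG_SZ: strip quotes, unescape \\ and \"
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif val.startswith("hex(7):"):            # REG_MULTI_SZ: UTF-16LE strings, NUL-separated
                data = bytes.fromhex(val[7:].replace(",", ""))
                val = " ".join(s for s in data.decode("utf-16-le").split("\0") if s)
            out[f"{key}\\{name}"] = val                # other value types are kept as raw text
    return out

def audit(values):
    """Return (location, value, reason) for baseline deviations and Run-key entries outside Windows/Program Files."""
    findings = []
    for loc, val in values.items():
        if loc in EXPECTED and val.lower() != EXPECTED[loc].lower():
            findings.append((loc, val, f"differs from default '{EXPECTED[loc]}'"))
        elif RUN_KEY.search(loc) and not re.match(r"C:\\(Windows|Program Files)", val, re.I):
            findings.append((loc, val, "Run-key entry outside Windows/Program Files"))
    return findings
```

On a live host, feed it the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the other keys) after converting the UTF-16 file to str; the two findings on the sample are the appended Userinit entry and the Run value under C:\Users\Public.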

These are a few of the places where adversaries can keep themselves hidden. In my next article I will be showing you how to actually exploit these locations from an adversary's point of view and will add mitigations to it.

Also, note that these locations are the bare minimum to be looked after, as adversaries from low-level to top-level will definitely exploit them.

Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI